Analysis

max time kernel: 152s
max time network: 167s
platform: windows7_x64
resource: win7-20220812-en
resource tags: arch:x64, arch:x86, image:win7-20220812-en, locale:en-us, os:windows7-x64, system
submitted: 06-12-2022 13:34
Static task: static1
Behavioral task: behavioral1
  Sample: SecuriteInfo.com.Exploit.CVE-2018-0798.4.7145.26581.rtf
  Resource: win7-20220812-en
Behavioral task: behavioral2
  Sample: SecuriteInfo.com.Exploit.CVE-2018-0798.4.7145.26581.rtf
  Resource: win10v2004-20220812-en

The signatures, process tree, dropped files and memory dumps below come from behavioral1 (Windows 7 x64 with 32-bit Office 2010, hence the Office14 and Wow6432Node paths).
General

Target: SecuriteInfo.com.Exploit.CVE-2018-0798.4.7145.26581.rtf
Size: 7KB
MD5: 48761a16dd96c10f032b32475c748e37
SHA1: 7dc04a878bb273a6406b68cdafeb71b62dccf1ad
SHA256: d213681bdb5ce1ca9f353ca5c8b6d45fca9de882b79f6e6708898096817427dd
SHA512: 513e265766b595f9dce532209c60913e89dfe813eb4c1e0fec724c9549fe03cedb7de1aa4ec2f8505f7d9b4202ddd4fd11a2bf9d6464b0ca924a862ab02f0c0c
SSDEEP: 192:iz9E7DX8Lu5f0FwU4b06jHmi02d2dZrSrlSO5IUfMAogjJHm:4UwKLHYGHX02sZrSr7FMAo8lm
Malware Config

Extracted family: formbook
Version: 4.1
Campaign: wh23
Domains (Formbook beacons to a set of decoy domains alongside its real C2, and the extractor does not mark which entry is the live server; treat the whole list as indicators but do not assume every host is attacker-controlled):
ow9vyvfee.com
alvis.one
mutantgobz.claims
plynofon.com
southofkingst.store
nuvidamedspa.com
coffeeforyou56.com
opaletechevents.com
momobar.life
abcmousu.com
learnicd-11.com
tipokin.xyz
kahvezevki.com
suratdimond.com
oldartists.best
infoepic.info
mattresslabo.com
skarlmotors.com
cl9319x.xyz
med49app.net
vivarellistaging2.com
gwnv.link
ogurecsbatvoi-7.online
littlelionplaycafe.com
floridaindianrivergeoves.com
eyelashacademysurrey.com
elprobetre.store
sexfan.biz
westbay.casino
carmana.store
optitude.finance
neo-hub.us
meadowwoodanimalclinic.com
ok-experts.com
magnoliabymr.com
fenomini.com
miaowu.work
skipermind.com
winstim.com
14123ninemile.com
plegablescr.com
bloommagiccbdburaliste.com
focusing-garef.com
krumobilept.com
norbercik.online
qteko.com
growupmarketingservices.com
alem-holdings.com
entreinnovator3.com
mainlydivision.space
module.live
gtrewegehwewe5.asia
jd8wme.cyou
pingacx757.com
big-teamwork.com
lesyeuxdanslespoches.com
yutighjkdfgjkd.shop
yourstoolsample.com
musntgrumble.com
jurgenremmerie.com
ebade.xyz
johnollieconstruction.com
bioprofumeria.shop
sarithebrand.com
taiguszab.online
Signatures

Formbook payload (3 IoCs)
YARA rule "formbook" matched in memory dumps:
  behavioral1/memory/788-74-0x0000000000400000-0x000000000042F000-memory.dmp (qaiuyqqkou.exe, PID 788)
  behavioral1/memory/776-81-0x0000000000080000-0x00000000000AF000-memory.dmp (netsh.exe, PID 776)
  behavioral1/memory/776-86-0x0000000000080000-0x00000000000AF000-memory.dmp (netsh.exe, PID 776)
Both regions are 188KB: the same payload image sits in the hollowed loader child and, after migration, in netsh.exe.

Blocklisted process makes network request (1 IoC)
  flow 3, PID 1868, EQNEDT32.EXE

Downloads MZ/PE file

Executes dropped EXE (3 IoCs)
  PID 1788 name.exe
  PID 680 qaiuyqqkou.exe
  PID 788 qaiuyqqkou.exe

Loads dropped DLL (3 IoCs)
  PID 1868 EQNEDT32.EXE
  PID 1788 name.exe
  PID 680 qaiuyqqkou.exe

Suspicious use of SetThreadContext (3 IoCs)
  PID 680 qaiuyqqkou.exe set thread context of PID 788 qaiuyqqkou.exe
  PID 788 qaiuyqqkou.exe set thread context of PID 1256 Explorer.EXE
  PID 776 netsh.exe set thread context of PID 1256 Explorer.EXE
The first entry is process hollowing (a parent rewriting the entry point of its own suspended child); the other two are injection into an unrelated, already-running process, which is how the payload moves from the dropped loader into Explorer.EXE and from there into a system binary (netsh.exe) that Explorer launches.

Drops file in Windows directory (1 IoC)
  File opened for modification: C:\Windows\Debug\WIA\wiatrace.log by WINWORD.EXE

Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s). The sandbox's generic description calls this likely ransomware behaviour; the payload identified here is Formbook, an information stealer, so this match alone is not evidence of encryption activity.
NSIS installer (6 IoCs)
YARA rules nsis_installer_1 and nsis_installer_2 matched on \Users\Admin\AppData\Roaming\name.exe (recorded both as a relative path and as C:\Users\Admin\AppData\Roaming\name.exe; six hits in total).

Office loads VBA resources, possible macro or embedded object present

Launches Equation Editor (1 TTP, 1 IoC)
Equation Editor is an old Office component often targeted by exploits such as CVE-2017-11882. CVE-2018-0798, which this sample is named for, is another memory-corruption bug in the same component (EQNEDT32.EXE). In this run EQNEDT32.EXE (PID 1868) starts with -Embedding, makes a network request and spawns name.exe from the user's Roaming profile; Equation Editor has no legitimate reason to create child processes, so that parent/child pair is the cleanest detection point in the chain.

Modifies Internet Explorer settings
All entries by WINWORD.EXE. The "command" values are REG_BINARY UTF-16LE Windows Installer descriptors and the string values point at Office's own binaries (ONBttnIE.dll, WINWORD.EXE, EXCEL.EXE); this is Word repairing its HTML/MHTML editor associations on start, not payload persistence.
  Key created \REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote
  Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor
  Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor
  Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor
  Key created \REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\MenuExt
  Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell
  Key created \REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\Toolbar
  Set value (str) \REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\ONBttnIE.dll/105"
  Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell
  Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\ = "&Edit"
  Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\""
  Set value (data) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000
  Key created \REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel
  Set value (int) \REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\Contexts = "1"
  Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit
  Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell
  Set value (data) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000
  Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit
  Set value (int) \REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\Contexts = "55"
  Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\command
  Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor
  Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell
  Set value (str) \REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\Toolbar\ShowDiscussionButton = "Yes"
  Set value (str) \REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\EXCEL.EXE/3000"
  Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit
  Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\COMMAND
  Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\ = "&Edit"
  Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\""
  Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\COMMAND
  Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit
  Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\command
Modifies registry class (64 IoCs)
All entries by WINWORD.EXE; as with the Internet Explorer entries above, these are Office's own .htm/.mht association and CLSID registrations (the {42042206-2D85-11D3-8CFF-005004838597} server is msohtmed.exe).
  Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\DefaultIcon\ = "\"%1\""
  Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel
  Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\MSPub.exe\shell\edit\command
  Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}
  Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Edit\command
  Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Edit\ = "&Edit"
  Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Print\ = "&Print"
  Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Word
  Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\MSPub.exe\shell\edit
  Set value (data) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0045005800430045004c00460069006c00650073003e00560069006a00710042006f006600280059003800270077002100460049006400310067004c00510020002f0064006400650000000000
  Key created \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell
  Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Edit
  Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit
  Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Word\shell\edit\command
  Set value (data) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\WinWord.exe\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000
  Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe
  Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit
  Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\ddeexec\application
  Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Publisher\shell\edit
  Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\InprocServer32\ThreadingModel = "Apartment"
  Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\WinWord.exe\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\""
  Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\ddeexec\ = "[open(\"%1\")]"
  Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Edit\ = "&Edit"
  Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\WinWord.exe
  Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\WinWord.exe\shell\edit
  Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Print
  Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit
  Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Publisher\shell\edit\command
  Key created \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Print
  Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\InprocServer32
  Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\ddeexec\topic\ = "system"
  Key created \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shellex\IconHandler
  Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Word\shell\edit
  Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\ = "&Open"
  Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\MSPub.exe\shell\edit
  Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\ddeexec\ = "[open(\"%1\")]"
  Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\ = "&Open"
  Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\EXCEL.EXE\" /dde"
  Key created \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile
  Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\ddeexec\application
  Key created \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Edit
  Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Print\command
  Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Print\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\msohtmed.exe\" /p %1"
  Key created \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\ShellEx
  Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\ddeexec\application\ = "Excel"
  Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\EXCEL.EXE\" /dde"
  Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\ddeexec\topic
  Set value (data) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Publisher\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b005000750062005000720069006d006100720079003e00520024006e0075006a0053005700460065003f007d0061004c00720052007000390078004000570020002500310000000000
  Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Publisher\shell\edit\ = "&Open"
  Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList
  Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\MSPub.exe\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\MSPUB.EXE\" %1"
  Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Print
  Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\ddeexec\ = "[open(\"%1\")]"
  Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Publisher\shell\edit\command
  Set value (data) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Publisher\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b005000750062005000720069006d006100720079003e00520024006e0075006a0053005700460065003f007d0061004c00720052007000390078004000570020002500310000000000
  Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Print\command
  Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Print\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\msohtmed.exe\" /p %1"
  Set value (data) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\MSPub.exe\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b005000750062005000720069006d006100720079003e00520024006e0075006a0053005700460065003f007d0061004c00720052007000390078004000570020002500310000000000
  Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Publisher
  Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\Version\14\ = "C:\\Program Files (x86)\\Microsoft Office\\Office14\\msohtmed.exe"
  Key created \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shellex\IconHandler
  Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\WinWord.exe\shell\edit\ = "&Open"
  Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\WinWord.exe\shell\edit\command
  Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\ddeexec
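The REG_BINARY "command" values in the two registry signatures above are opaque as hex. Decoding them shows they are Windows Installer "Darwin descriptors" (compressed product GUID, feature name, '>', compressed component GUID, then the shell arguments), which is what Office writes for advertised shortcuts; an analyst can use that to discard such entries as self-registration noise rather than chasing them as persistence. The decoder below is an added example, not part of the sandbox report; the three hex strings are copied verbatim from the entries above, the 20-character compressed-GUID width is the documented Windows Installer layout, and the function and field names are this example's own.

```python
"""Decode REG_BINARY UTF-16LE Windows Installer descriptors from a sandbox report.

Added example; the hex strings below are copied from the report's registry
signatures (WinWord, Excel and Publisher variants).  Nothing here calls a
Windows API, so it runs anywhere.
"""

# Constructed input: the three distinct "command" values seen on this page.
WORD_HEX = (
    "7800620027004200560035002100210021002100210021002100210021004d004b004b0053"
    "006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030"
    "005a003d007b0050006b00300076006d007e0041005a00750020002f006e0020002200250031"
    "00220000000000"
)
EXCEL_HEX = (
    "7800620027004200560035002100210021002100210021002100210021004d004b004b0053"
    "006b0045005800430045004c00460069006c00650073003e00560069006a00710042006f0066"
    "00280059003800270077002100460049006400310067004c00510020002f0064006400650000"
    "000000"
)
PUB_HEX = (
    "7800620027004200560035002100210021002100210021002100210021004d004b004b0053"
    "006b005000750062005000720069006d006100720079003e00520024006e0075006a00530057"
    "00460065003f007d0061004c00720052007000390078004000570020002500310000000000"
)

# Windows Installer packs a 128-bit GUID into 20 base-85 characters.
COMPRESSED_GUID_LEN = 20


def decode_reg_binary_utf16(hexstr: str) -> str:
    """Turn the hex dump of a REG_BINARY value into text, dropping NUL padding."""
    raw = bytes.fromhex(hexstr)
    return raw.decode("utf-16-le").rstrip("\x00")


def parse_darwin_command(hexstr: str) -> dict:
    """Split a decoded value into product, feature, component and arguments.

    Layout: <product:20><feature>'>'<component:20>[ <shell args>].
    Raises ValueError when the value does not have that shape.
    """
    text = decode_reg_binary_utf16(hexstr)
    if ">" not in text:
        raise ValueError("no feature/component separator: not a Darwin descriptor")
    head, tail = text.split(">", 1)
    if len(head) <= COMPRESSED_GUID_LEN or len(tail) < COMPRESSED_GUID_LEN:
        raise ValueError("fields too short for a product/feature/component triple")
    return {
        "product": head[:COMPRESSED_GUID_LEN],
        "feature": head[COMPRESSED_GUID_LEN:],
        "component": tail[:COMPRESSED_GUID_LEN],
        "args": tail[COMPRESSED_GUID_LEN:].strip(),
        "raw": text,
    }


def is_advertised_command_for(hexstr: str, product_code: str) -> bool:
    """True when the value is a descriptor for the given compressed product code.

    The product code is whatever the analyst has already established as the
    host's installed Office product; here the one shared by all three values.
    """
    try:
        return parse_darwin_command(hexstr)["product"] == product_code
    except ValueError:
        return False


def triage(values: dict) -> dict:
    """Map value name -> 'installer-descriptor' or 'unknown' for a batch of hex values."""
    product = parse_darwin_command(WORD_HEX)["product"]  # assumption: Word's value is the reference
    return {
        name: ("installer-descriptor" if is_advertised_command_for(hx, product) else "unknown")
        for name, hx in values.items()
    }


if __name__ == "__main__":
    for name, hx in (("Word", WORD_HEX), ("Excel", EXCEL_HEX), ("Publisher", PUB_HEX)):
        d = parse_darwin_command(hx)
        print(f"{name:9} feature={d['feature']!r:14} args={d['args']!r:10} product={d['product']}")
```

Run as a script it prints one line per value; `triage()` is the reusable part, and any value that does not parse as a descriptor (a plain path to a dropped binary, for instance) comes back as "unknown" and deserves a closer look.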
Suspicious behavior: AddClipboardFormatListener (1 IoC)
  PID 2040 WINWORD.EXE

Suspicious behavior: EnumeratesProcesses (21 IoCs)
  PID 788 qaiuyqqkou.exe (2 hits)
  PID 776 netsh.exe (19 hits)

Suspicious behavior: GetForegroundWindowSpam (1 IoC)
  PID 1256 Explorer.EXE

Suspicious behavior: MapViewOfSection (6 IoCs)
  PID 680 qaiuyqqkou.exe (1 hit)
  PID 788 qaiuyqqkou.exe (3 hits)
  PID 776 netsh.exe (2 hits)

Suspicious use of AdjustPrivilegeToken (5 IoCs)
  Token: SeDebugPrivilege, PID 788 qaiuyqqkou.exe
  Token: SeDebugPrivilege, PID 776 netsh.exe
  Token: SeShutdownPrivilege, PID 1256 Explorer.EXE (3 hits)

Suspicious use of SetWindowsHookEx (2 IoCs)
  PID 2040 WINWORD.EXE (2 hits)

Suspicious use of WriteProcessMemory (25 IoCs)
  PID 1868 EQNEDT32.EXE wrote to memory of PID 1788 name.exe (4 hits)
  PID 1788 name.exe wrote to memory of PID 680 qaiuyqqkou.exe (4 hits)
  PID 680 qaiuyqqkou.exe wrote to memory of PID 788 qaiuyqqkou.exe (5 hits)
  PID 1256 Explorer.EXE wrote to memory of PID 776 netsh.exe (4 hits)
  PID 776 netsh.exe wrote to memory of PID 1884 cmd.exe (4 hits)
  PID 2040 WINWORD.EXE wrote to memory of PID 1248 splwow64.exe (4 hits)
Processes

Two trees were recorded. Explorer.EXE hosts the user's Word session and, later, the injected payload's netsh.exe host; EQNEDT32.EXE appears as a separate root because Equation Editor is started out-of-process by COM (-Embedding) rather than as a child of WINWORD.EXE, which is why parent-child rules keyed on WINWORD.EXE alone miss this chain. PIDs are taken from the signature tables above.

C:\Windows\Explorer.EXE (PID 1256)
  command line: C:\Windows\Explorer.EXE
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory

  C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE (PID 2040)
    command line: "C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Exploit.CVE-2018-0798.4.7145.26581.rtf"
    - Drops file in Windows directory
    - Modifies Internet Explorer settings
    - Modifies registry class
    - Suspicious behavior: AddClipboardFormatListener
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory

    C:\Windows\splwow64.exe (PID 1248)
      command line: C:\Windows\splwow64.exe 12288

  C:\Windows\SysWOW64\netsh.exe (PID 776)
    command line: "C:\Windows\SysWOW64\netsh.exe"
    - Suspicious use of SetThreadContext
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: MapViewOfSection
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory

    C:\Windows\SysWOW64\cmd.exe (PID 1884)
      command line: /c del "C:\Users\Admin\AppData\Local\Temp\qaiuyqqkou.exe"

C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE (PID 1868)
  command line: "C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE" -Embedding
  - Blocklisted process makes network request
  - Loads dropped DLL
  - Launches Equation Editor
  - Suspicious use of WriteProcessMemory

  C:\Users\Admin\AppData\Roaming\name.exe (PID 1788)
    command line: "C:\Users\Admin\AppData\Roaming\name.exe"
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory

    C:\Users\Admin\AppData\Local\Temp\qaiuyqqkou.exe (PID 680)
      command line: "C:\Users\Admin\AppData\Local\Temp\qaiuyqqkou.exe" C:\Users\Admin\AppData\Local\Temp\ijarchpuy.du
      - Executes dropped EXE
      - Loads dropped DLL
      - Suspicious use of SetThreadContext
      - Suspicious behavior: MapViewOfSection
      - Suspicious use of WriteProcessMemory

      C:\Users\Admin\AppData\Local\Temp\qaiuyqqkou.exe (PID 788)
        command line: "C:\Users\Admin\AppData\Local\Temp\qaiuyqqkou.exe"
        - Executes dropped EXE
        - Suspicious use of SetThreadContext
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious behavior: MapViewOfSection
        - Suspicious use of AdjustPrivilegeToken
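The tree above carries four detection opportunities that survive renaming of the dropped files: Equation Editor creating a child process, executables launched from user-writable profile directories, SetThreadContext calls (distinguishing hollowing of one's own child from injection into an unrelated process such as Explorer.EXE), and a system binary spawning cmd.exe to delete the dropper. The script below is an added example, not part of the sandbox report or of any EDR product: it replays the report's process-creation and cross-process events as constructed records (PIDs, image paths and command lines are copied from the tree; the parent of EQNEDT32.EXE is left unknown because the report shows it as a separate root) and runs those four rules over them. The event classes, field names and rule names are this example's own.

```python
"""Detection rules over process-creation and cross-process events.

Added example.  The event records are constructed from the sandbox report's
process tree and signatures; the rule logic is generic and would apply
unchanged to Sysmon-style event ID 1 / 8 / 10 data once mapped to these fields.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass(frozen=True)
class Proc:
    pid: int
    image: str
    cmdline: str
    ppid: Optional[int]  # None when the parent was not recorded


@dataclass(frozen=True)
class XProc:
    api: str       # e.g. "SetThreadContext", "WriteProcessMemory"
    src_pid: int
    dst_pid: int


# Constructed from the report (behavioral1).
PROCS: List[Proc] = [
    Proc(1256, r"C:\Windows\Explorer.EXE", r"C:\Windows\Explorer.EXE", None),
    Proc(2040, r"C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE",
         r'"C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" /n '
         r'"C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Exploit.CVE-2018-0798.4.7145.26581.rtf"', 1256),
    Proc(1248, r"C:\Windows\splwow64.exe", r"C:\Windows\splwow64.exe 12288", 2040),
    Proc(1868, r"C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE",
         r'"C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE" -Embedding', None),
    Proc(1788, r"C:\Users\Admin\AppData\Roaming\name.exe", r'"C:\Users\Admin\AppData\Roaming\name.exe"', 1868),
    Proc(680, r"C:\Users\Admin\AppData\Local\Temp\qaiuyqqkou.exe",
         r'"C:\Users\Admin\AppData\Local\Temp\qaiuyqqkou.exe" C:\Users\Admin\AppData\Local\Temp\ijarchpuy.du', 1788),
    Proc(788, r"C:\Users\Admin\AppData\Local\Temp\qaiuyqqkou.exe",
         r'"C:\Users\Admin\AppData\Local\Temp\qaiuyqqkou.exe"', 680),
    Proc(776, r"C:\Windows\SysWOW64\netsh.exe", r'"C:\Windows\SysWOW64\netsh.exe"', 1256),
    Proc(1884, r"C:\Windows\SysWOW64\cmd.exe", r'/c del "C:\Users\Admin\AppData\Local\Temp\qaiuyqqkou.exe"', 776),
]
XPROC: List[XProc] = [
    XProc("SetThreadContext", 680, 788),
    XProc("SetThreadContext", 788, 1256),
    XProc("SetThreadContext", 776, 1256),
]

USER_WRITABLE = ("\\appdata\\roaming\\", "\\appdata\\local\\temp\\")


def basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()


def by_pid(procs: List[Proc]) -> Dict[int, Proc]:
    return {p.pid: p for p in procs}


def rule_equation_editor_spawn(procs: List[Proc]) -> List[str]:
    """EQNEDT32.EXE is a COM server for rendering equations; any child is exploitation."""
    pmap = by_pid(procs)
    return [f"eqnedt32 spawned {basename(p.image)} (pid {p.pid})"
            for p in procs
            if p.ppid in pmap and basename(pmap[p.ppid].image) == "eqnedt32.exe"]


def rule_exec_from_user_writable(procs: List[Proc]) -> List[str]:
    """Executables running out of Roaming or Temp; checks the image, not the command line."""
    return [f"{basename(p.image)} (pid {p.pid}) executed from {p.image}"
            for p in procs if any(m in p.image.lower() for m in USER_WRITABLE)]


def rule_thread_context(procs: List[Proc], xproc: List[XProc]) -> List[str]:
    """Classify SetThreadContext: into own child = hollowing, into anything else = injection."""
    pmap = by_pid(procs)
    out = []
    for x in xproc:
        if x.api != "SetThreadContext":
            continue
        src, dst = pmap[x.src_pid], pmap[x.dst_pid]
        kind = "hollowing" if dst.ppid == src.pid else "injection"
        out.append(f"{kind}: {basename(src.image)} ({src.pid}) -> {basename(dst.image)} ({dst.pid})")
    return out


def rule_self_delete(procs: List[Proc]) -> List[str]:
    """cmd.exe /c del of a file under AppData, launched by something other than a shell."""
    pmap = by_pid(procs)
    out = []
    for p in procs:
        cl = p.cmdline.lower()
        if basename(p.image) == "cmd.exe" and "/c" in cl and " del " in cl and "\\appdata\\" in cl:
            parent = pmap.get(p.ppid) if p.ppid is not None else None
            out.append(f"cmd.exe (pid {p.pid}) deleting dropped file, spawned by "
                       f"{basename(parent.image) if parent else 'unknown'}")
    return out


def run_rules(procs: List[Proc] = PROCS, xproc: List[XProc] = XPROC) -> Dict[str, List[str]]:
    return {
        "equation_editor_spawn": rule_equation_editor_spawn(procs),
        "exec_from_user_writable": rule_exec_from_user_writable(procs),
        "thread_context": rule_thread_context(procs, xproc),
        "self_delete": rule_self_delete(procs),
    }


if __name__ == "__main__":
    for rule, hits in run_rules().items():
        for hit in hits:
            print(f"[{rule}] {hit}")
```

The hollowing/injection split matters for response: hollowing of its own child is what the NSIS-dropped loader does and both PIDs can be killed together, whereas injection into Explorer.EXE means the desktop shell itself now carries the payload and a clean recovery needs the user session ended, not just the dropped files removed.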
Downloads

Dropped files (each unique file listed once; the original report repeats qaiuyqqkou.exe five times and name.exe three times, under both C:\Users\... and \Users\... spellings, with identical hashes). The layout is the usual NSIS loader arrangement: a large installer (name.exe) unpacks a small loader (qaiuyqqkou.exe) that takes a small data file (ijarchpuy.du) on its command line, with a larger blob (srumdm.hcb) alongside.

C:\Users\Admin\AppData\Local\Temp\ijarchpuy.du (5KB)
  MD5: 5cd14824d28319bfcac1b2e3cd8b532d
  SHA1: 49ed57453b9612e0ece3540b9740f613298a8644
  SHA256: ae65f540f6bef4b0723294768991c65f88095de096c9f636ba4c2de7f095c7bf
  SHA512: 84bdd85fe9e34fcde4ab3abd57d670a7cd2694b160686aac8958c0a00aef066dffaeaa778f8c617431c2af5b4678d292f482a5de81ae33cbfbadce1e930f061b

C:\Users\Admin\AppData\Local\Temp\qaiuyqqkou.exe (12KB)
  MD5: a8c4431de2a0d976a45531402b8bf869
  SHA1: 21c57e797f9bf60103751b697b5e7323b22bee2d
  SHA256: 8e66bc3f9bfd964c231514774c1e01e3a05e7506f7d41938f1e49f1780e4c064
  SHA512: 740a72bb956545da927847a563ddd7cdde39bed50bd678ce2312b2565a9f0eac259c5cb447d860c17bdd7357fcdd8a9634ab68ff07844488b161790004947043

C:\Users\Admin\AppData\Local\Temp\srumdm.hcb (185KB)
  MD5: e923ffb3d4001485b028c1db73a2ad7d
  SHA1: 3974f858666c8ca752a93296a299e15e1c8228c8
  SHA256: 60240106d022b45f07902409a59611dd93c388b982608130194a38d6ee4fcf31
  SHA512: 0ce9501f722d51471fe648b632f7546770570c919ca314f1253344c83c24365ac39fe9fa93a3fda617725131f3898f7cc0fe5250bcc7e586b7ea6a4f54f96c1f

C:\Users\Admin\AppData\Roaming\name.exe (398KB)
  MD5: c25c9877c55e1c43283910d400d91e2c
  SHA1: e75a014931488473a0f220a81e83742f3afc66b7
  SHA256: 70f32a20f79a7bff35560af814867b770998faf1be40fd3dc04ddab93c45f6e0
  SHA512: 77f8ff58fede53e7109796b9bbc200cd78337d6d654b9801e12e1dcf4acf04d8e7127996d1e4d60265334dac348566518cf32a500c57cbe5c5c61ac6f91a1b04

Memory dumps (PID-sequence-range; the 188KB regions in PIDs 788 and 776 are where the formbook YARA rule matched, and 788-72 at 0x41F110 is the thread start the hollowing parent pointed the child at):
  memory/680-66-0x0000000000000000-mapping.dmp
  memory/776-78-0x0000000000000000-mapping.dmp
  memory/776-80-0x00000000017A0000-0x00000000017BB000-memory.dmp (108KB)
  memory/776-81-0x0000000000080000-0x00000000000AF000-memory.dmp (188KB)
  memory/776-82-0x0000000000C10000-0x0000000000F13000-memory.dmp (3.0MB)
  memory/776-83-0x00000000009E0000-0x0000000000A73000-memory.dmp (588KB)
  memory/776-86-0x0000000000080000-0x00000000000AF000-memory.dmp (188KB)
  memory/788-72-0x000000000041F110-mapping.dmp
  memory/788-74-0x0000000000400000-0x000000000042F000-memory.dmp (188KB)
  memory/788-75-0x0000000000890000-0x0000000000B93000-memory.dmp (3.0MB)
  memory/788-76-0x00000000001A0000-0x00000000001B4000-memory.dmp (80KB)
  memory/1248-84-0x0000000000000000-mapping.dmp
  memory/1248-85-0x000007FEFBB41000-0x000007FEFBB43000-memory.dmp (8KB)
  memory/1256-77-0x0000000006340000-0x00000000064A2000-memory.dmp (1.4MB)
  memory/1256-87-0x0000000007090000-0x0000000007199000-memory.dmp (1.0MB)
  memory/1256-88-0x0000000007090000-0x0000000007199000-memory.dmp (1.0MB)
  memory/1788-61-0x0000000000000000-mapping.dmp
  memory/1884-79-0x0000000000000000-mapping.dmp
  memory/2040-54-0x0000000072661000-0x0000000072664000-memory.dmp (12KB)
  memory/2040-55-0x00000000700E1000-0x00000000700E3000-memory.dmp (8KB)
  memory/2040-56-0x000000005FFF0000-0x0000000060000000-memory.dmp (64KB)
  memory/2040-57-0x00000000762D1000-0x00000000762D3000-memory.dmp (8KB)
  memory/2040-58-0x00000000710CD000-0x00000000710D8000-memory.dmp (44KB)
  memory/2040-89-0x000000005FFF0000-0x0000000060000000-memory.dmp (64KB)
  memory/2040-90-0x00000000710CD000-0x00000000710D8000-memory.dmp (44KB)